Does ClassicPress have a checksums API like WordPress? For example: https://api.wordpress.org/core/checksums/1.0/?version=5.2.3. I’m testing a ThreatPress plugin, but I get wrong results because the checksums don’t match. I chatted with the developer, and chances are that this plugin can be released for ClassicPress too; he just needs a correct checksum API.
As far as I recall we only have the following API endpoints:
If we don’t, what would be required for us to provide this?
No, we don’t have that yet. Getting the hashes is the simple bit - distributing them in a way that preserves (and ideally, enhances) the existing chain of trust takes more work. Again, the code is the easy part, it’s everything else that’s harder.
@james we need to sort out our PKI so we can make this happen.
The developer of Shield Security has implemented this himself. It might be worth taking a look at how he did it.
I agree we should have our own checksums API though. Tracking the task on GitHub here: https://github.com/ClassicPress/ClassicPress-APIs/issues/16
Let’s come up with a high-level plan for this, at the moment I am not sure what exactly you have in mind. I think you also had some initial code for this. Can you leave some details/links on that GitHub issue?
As James mentioned, I’ve built my own implementation for this and it works a treat. I’m happy to help out and contribute in some way if you need something set up to do this.
Something you might consider doing, which is what I was doing before I built wphashes.com, was to have each site individually build the hashes it needed. As someone said, the code itself isn’t complicated, but if you’re not in a position to create a central API, you could have CP itself do the legwork.
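Added example (not written by any poster in this thread, and not ClassicPress or wphashes.com code): a sketch of the per-site approach described in the post above, where a site hashes a pristine copy of its release and compares the installed core files against that manifest. The file names, the ignored `wp-content/` prefix and the choice of SHA-256 are assumptions for illustration, and the pristine copy is only as trustworthy as the channel it was downloaded over.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(reference, installed, ignore_prefixes=("wp-content/",)):
    """Report core files that differ, skipping site-owned directories."""
    ref = {p: d for p, d in reference.items() if not p.startswith(ignore_prefixes)}
    inst = {p: d for p, d in installed.items() if not p.startswith(ignore_prefixes)}
    return {
        "modified": sorted(p for p in ref if p in inst and ref[p] != inst[p]),
        "missing": sorted(p for p in ref if p not in inst),
        "unexpected": sorted(p for p in inst if p not in ref),
    }

def demo():
    """Constructed sample: a pristine release tree and an altered install."""
    pristine = {
        "index.php": b"<?php // core\n",
        "wp-includes/version.php": b"<?php $v = '1';\n",
        "wp-admin/admin.php": b"<?php // admin\n",
    }
    installed = dict(pristine)
    installed["wp-includes/version.php"] = b"<?php $v = '1'; // edited\n"
    del installed["wp-admin/admin.php"]
    installed["wp-includes/extra.php"] = b"<?php // not in release\n"
    installed["wp-content/uploads/a.txt"] = b"site data, ignored\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, tree in (("release", pristine), ("site", installed)):
            for rel, data in tree.items():
                path = os.path.join(tmp, name, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare(build_manifest(os.path.join(tmp, "release")),
                       build_manifest(os.path.join(tmp, "site")))

if __name__ == "__main__":
    print(demo())
```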
Basically, we need to create a root cert and a CA; that way we can be sure we’re talking to a CP server, and can sign the hashes in a way that’s easy to check using what we’ve already got. Code for the first part is trivial - I have it working locally - but the second requires storing the root key offline in at least 2 properly secure locations. Signing the hashes is also trivial, but we need to nail down the workflow changes.